chore(mdm): skip macOS TCC-protected directories

[shubham-stepsecurity]

What does this PR do?

Type of change

• Bug fix
• Enhancement
• Documentation

Testing

• Tested on macOS (version: ___)
• Binary runs without errors: ./stepsecurity-dev-machine-guard --verbose
• JSON output is valid: ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
• No secrets or credentials included
• Lint passes: make lint
• Tests pass: make test

Related Issues

[Copilot]

Pull request overview

This PR introduces a macOS TCC (Transparency, Consent, and Control) “skipper” to avoid walking into well-known TCC-protected directories during filesystem discovery, preventing permission prompts when the agent runs without Full Disk Access.

Changes:

• Added a new internal/tcc package that identifies TCC-protected paths (darwin) and behaves as a no-op on non-darwin platforms, with unit tests for both.
• Plumbed the skipper into directory-walking detectors (Node/Python project discovery and .npmrc discovery) and wired it into both community scan and enterprise telemetry flows.
• Added --include-tcc-protected CLI flag to opt into scanning these protected directories, plus logging of configured skip candidates and “hit” paths encountered during walks.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/telemetry/telemetry.go	Creates and wires a TCC skipper into enterprise telemetry scans; logs skip candidates and encountered skips.
internal/scan/scanner.go	Creates and wires a TCC skipper into community scans; warns when skipping protected dirs and logs encountered skips.
internal/tcc/tcc.go	Implements the platform-agnostic skipper API (ShouldSkip/Candidates/Hits) and hit tracking.
internal/tcc/tcc_darwin.go	Defines macOS-specific protected home-relative paths and absolute-prefix rules (e.g., Time Machine).
internal/tcc/tcc_other.go	Provides non-darwin no-op implementations for protected paths/prefixes.
internal/tcc/tcc_darwin_test.go	Adds darwin-specific unit tests for skip behavior, nil-safety, and candidate ordering.
internal/tcc/tcc_other_test.go	Adds non-darwin unit test verifying skipper is a no-op.
internal/detector/nodeproject.go	Skips TCC-protected directories during Node project discovery walk.
internal/detector/pythonproject.go	Skips TCC-protected directories during Python project discovery walk.
internal/detector/nodescan.go	Skips TCC-protected directories during enterprise Node project discovery phase.
internal/detector/configaudit/npmrc.go	Skips TCC-protected directories during .npmrc discovery walk.
internal/cli/cli.go	Adds --include-tcc-protected flag to config, parsing, and help text.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ashishkurmi]

1. launchd vs direct invocation